Gitiles
Code Review Sign In
gerrit.openbmc.org / openbmc / bmcweb / 1b8b02a4ab0aae072d0891301d1f9d5376e7912b / . / include / forward_unauthorized.hpp
blob: 5d5e744f4746d61281d1b0a6399bf2546eb7c4a6 [file] [log] [blame]
Ed Tanousd4b6c662021-03-10 13:29:30 -0800[diff] [blame]1#pragma once
Ed Tanous3ccb3ad2023-01-13 17:40:03 -0800[diff] [blame]2#include "http_request.hpp"
3#include "http_response.hpp"
4#include "http_utility.hpp"
Ed Tanousd4b6c662021-03-10 13:29:30 -0800[diff] [blame]5
Ed Tanousc51a58e2023-03-27 14:43:19 -0700[diff] [blame]6#include <boost/url/format.hpp>
7#include <boost/url/url.hpp>
8
Ed Tanousd4b6c662021-03-10 13:29:30 -0800[diff] [blame]9namespace forward_unauthorized
10{
11
Ed Tanouscf9e4172022-12-21 09:30:16 -0800[diff] [blame]12// NOLINTNEXTLINE(cppcoreguidelines-avoid-non-const-global-variables)
Ed Tanous4f48d5f2021-06-21 08:27:45 -0700[diff] [blame]13static bool hasWebuiRoute = false;
Ed Tanousd4b6c662021-03-10 13:29:30 -0800[diff] [blame]14
Ed Tanousc127a0f2022-05-11 15:23:59 -0700[diff] [blame]15inline void sendUnauthorized(std::string_view url,
16 std::string_view xRequestedWith,
John Edward Broadbent59b98b22021-07-13 15:36:32 -0700[diff] [blame]17 std::string_view accept, crow::Response& res)
Ed Tanousd4b6c662021-03-10 13:29:30 -0800[diff] [blame]18{
19 // If it's a browser connecting, don't send the HTTP authenticate
20 // header, to avoid possible CSRF attacks with basic auth
Ed Tanous4a0e1a02022-09-21 15:28:04 -0700[diff] [blame]21 if (http_helpers::isContentTypeAllowed(
22 accept, http_helpers::ContentType::HTML, false /*allowWildcard*/))
Ed Tanousd4b6c662021-03-10 13:29:30 -0800[diff] [blame]23 {
24 // If we have a webui installed, redirect to that login page
25 if (hasWebuiRoute)
26 {
Ed Tanousc51a58e2023-03-27 14:43:19 -0700[diff] [blame]27 boost::urls::url forward = boost::urls::format("/?next={}#/login",
28 url);
Ed Tanousd4b6c662021-03-10 13:29:30 -0800[diff] [blame]29 res.result(boost::beast::http::status::temporary_redirect);
Ed Tanousd9f6c622022-03-17 09:12:17 -0700[diff] [blame]30 res.addHeader(boost::beast::http::field::location,
Ed Tanousc51a58e2023-03-27 14:43:19 -0700[diff] [blame]31 forward.buffer());
Ed Tanous347d1a12022-06-22 15:49:37 -0700[diff] [blame]32 return;
Ed Tanousd4b6c662021-03-10 13:29:30 -0800[diff] [blame]33 }
Ed Tanous347d1a12022-06-22 15:49:37 -0700[diff] [blame]34 // If we don't have a webui installed, just return an unauthorized
35 // body
Ed Tanousd4b6c662021-03-10 13:29:30 -0800[diff] [blame]36 res.result(boost::beast::http::status::unauthorized);
Ed Tanous2deee1b2023-03-03 10:32:36 -0800[diff] [blame]37 res.body() =
38 "No authentication provided, and no login UI present to forward to.";
Ed Tanous347d1a12022-06-22 15:49:37 -0700[diff] [blame]39 return;
Ed Tanousd4b6c662021-03-10 13:29:30 -0800[diff] [blame]40 }
Ed Tanous347d1a12022-06-22 15:49:37 -0700[diff] [blame]41
42 res.result(boost::beast::http::status::unauthorized);
43
44 // XHR requests from a browser will set the X-Requested-With header when
45 // doing their requests, even though they might not be requesting html.
46 if (!xRequestedWith.empty())
47 {
48 return;
49 }
50 // if basic auth is disabled, don't propose it.
51 if (!persistent_data::SessionStore::getInstance()
52 .getAuthMethodsConfig()
53 .basic)
54 {
55 return;
56 }
Ed Tanousd9f6c622022-03-17 09:12:17 -0700[diff] [blame]57 res.addHeader(boost::beast::http::field::www_authenticate, "Basic");
Ed Tanousd4b6c662021-03-10 13:29:30 -0800[diff] [blame]58}
59} // namespace forward_unauthorized